提取角色和附加策略的清单

时间:2019-11-04 20:29:42

标签: python amazon-web-services amazon-iam boto

我有一段 Python 代码,它通过担任(assume)某个角色来查询 IAM,目前只能给出一部分角色。我正在尝试修改它,以获取账户中的所有角色以及附加到每个角色上的策略。

#! /usr/bin/python


import boto
import urllib
import hashlib
import argparse

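parser = argparse.ArgumentParser(description='outputs security configuration of an AWS account')
# NOTE(security): credentials passed as command-line arguments land in shell
# history and are visible to every local user via `ps`.  They are therefore
# optional: when omitted, boto falls back to its usual credential chain
# (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, ~/.boto / ~/.aws/credentials,
# instance profile), which keeps long-lived secrets off the command line.
parser.add_argument('-a', '--access_key_id', help='access key id (omit to use the boto credential chain)')
parser.add_argument('-k', '--secret_access_key', help='secret access key (omit to use the boto credential chain)')
parser.add_argument('-t', '--security_token', help='security token (for use with temporary security credentials)')
parser.add_argument('-r', '--role', help='ARN of a role to assume before auditing')
parser.add_argument('-v', '--verbose', action="store_true", help='enable verbose mode')
parser.add_argument('-d', '--debug', action="store_true", help='enable debug mode')

args = parser.parse_args()
access_key_id = args.access_key_id
secret_access_key = args.secret_access_key
security_token = args.security_token
# The session token must reach STS as well: with temporary credentials (-t)
# an AssumeRole call made without it is rejected as an invalid signature.
sts = boto.connect_sts(access_key_id, secret_access_key, security_token=security_token)

if args.role:
    # Swap to the assumed role's temporary credentials for everything that
    # follows.  The fixed session name "SecAudit" is what CloudTrail records
    # as the origin of the audit calls.
    assumed_role = sts.assume_role(args.role, "SecAudit")
    access_key_id = assumed_role.credentials.access_key
    secret_access_key = assumed_role.credentials.secret_key
    security_token = assumed_role.credentials.session_token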


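def debug(str):
    """Print *str* to stdout only when ``--debug`` was given.

    The parameter keeps its original name (it shadows the builtin) so that
    existing positional and keyword callers keep working; the body never
    needs the builtin.  The print *function* form is used so the module also
    parses under Python 3.
    """
    if args.debug:
        print(str)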


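def verbose(str):
    """Print *str* to stdout when ``--verbose`` or ``--debug`` was given.

    Debug mode implies verbose mode.  Note that verbose output echoes full
    policy documents (see ``config_line_policy``), so redirecting it to a
    shared location discloses the account's IAM configuration.
    The parameter keeps its original builtin-shadowing name for caller
    compatibility; the print *function* form parses under Python 2 and 3.
    """
    if args.verbose or args.debug:
        print(str)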


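def sha256(m):
    """Return the lowercase hex SHA-256 digest of *m*.

    *m* may be bytes (the Python 2 ``str`` the original expected) or text.
    Text is UTF-8 encoded first because ``hashlib`` only accepts bytes and a
    policy document fetched via boto may come back as ``unicode``; hashing
    the encoded form keeps the fingerprint stable across both cases.
    """
    if not isinstance(m, bytes):
        m = m.encode('utf-8')
    return hashlib.sha256(m).hexdigest()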


def config_line(header, name, detail, data):
    """Format one report row as ``header, name, detail, data``.

    This is a plain join with no quoting or escaping: a field that itself
    contains ", " is indistinguishable from a field boundary to a downstream
    parser, so callers should keep fields free of that sequence.
    """
    fields = (header, name, detail, data)
    return ", ".join(fields)


def config_line_policy(header, name, detail, data):
    """Build a report row for a policy document.

    In verbose mode the full document is echoed between banner lines; the
    returned row carries only its SHA-256 fingerprint, which keeps the
    report compact and diffable between runs without reproducing the
    policy text.
    """
    banner = "===== " + header + ":  " + name + ":  " + detail + "====="
    footer = "========================================================="
    for chunk in (banner, data, footer):
        verbose(chunk)
    return config_line(header, name, detail, sha256(data))


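def output_lines(lines):
    """Print *lines* in sorted order, one per line.

    Sorting makes the report stable regardless of the order the API
    returned items in.  Unlike the original, the caller's list is not
    reordered in place -- ``sorted`` works on a copy -- and the print
    *function* form parses under Python 2 and 3.
    """
    for line in sorted(lines):
        print(line)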


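def _is_truncated(result):
    """Return True when a boto 2 IAM list result says more pages follow.

    boto 2 surfaces the XML ``IsTruncated`` element as the string
    ``'true'``/``'false'`` rather than a bool, so compare textually; a
    result without the element is treated as complete.
    """
    return str(getattr(result, 'is_truncated', 'false')).lower() == 'true'


def _all_roles(conn):
    """Return every IAM role visible to *conn*, following pagination markers.

    ListRoles returns at most 100 roles per call.  The original single call
    silently dropped everything after the first page, which in a large
    account looks exactly like "only some roles come back".
    """
    collected = []
    marker = None
    while True:
        result = conn.list_roles(marker=marker).list_roles_response.list_roles_result
        collected.extend(result.roles)
        if not _is_truncated(result):
            return collected
        marker = result.marker


def _all_inline_policy_names(conn, role_name):
    """Return the names of every *inline* policy on *role_name*, paginated.

    ListRolePolicies covers inline policies only.  Managed policies attached
    with AttachRolePolicy are a separate API (ListAttachedRolePolicies plus
    GetPolicyVersion) that this script does not call.
    """
    names = []
    marker = None
    while True:
        response = conn.list_role_policies(role_name, marker=marker)
        result = response.list_role_policies_response.list_role_policies_result
        names.extend(result.policy_names)
        if not _is_truncated(result):
            return names
        marker = result.marker


iam = boto.connect_iam(access_key_id, secret_access_key, security_token=security_token)
verbose("Getting account summary:")
summary = iam.get_account_summary()
debug(summary)
# Only the root-account MFA flag is reported from the summary.
output_lines([config_line("iam:accountsummary", "AccountMFAEnabled", "", str(summary["AccountMFAEnabled"]))])

# IAM Roles
verbose("Getting IAM role info:")
role_policy = []
roles = _all_roles(iam)
for role in roles:
    verbose("Role: " + role.role_name)
    # Trust policy controlling who may assume the role (always present).
    # The API returns it URL-encoded; decode before hashing so the
    # fingerprint matches the same document obtained any other way.
    assume_role_policy = urllib.unquote(role.assume_role_policy_document)
    role_policy.append(config_line_policy("iam:assumerolepolicy", role.role_name, role.arn, assume_role_policy))

    # Inline permission policies: what the role may do once assumed.
    # NOTE(review): managed policies attached to the role are not collected,
    # so a role whose permissions come only from managed policies appears
    # here with just its trust policy.
    policies = _all_inline_policy_names(iam, role.role_name)
    for policy_name in policies:
        response = iam.get_role_policy(role.role_name, policy_name)
        policy = urllib.unquote(response.get_role_policy_response.get_role_policy_result.policy_document)
        role_policy.append(config_line_policy("iam:rolepolicy", role.role_name, policy_name, policy))
    debug(policies)
output_lines(role_policy)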

但这样似乎只拿到了所担任的那个角色;而且 `list_role_policies` 只返回内联(inline)策略,并不包括通过 AttachRolePolicy 附加的托管策略。我想获取所有角色,以及附加到每个角色上的策略。

我该怎么做

0 个答案:

没有答案